How to Communicate Security Assessment Results

By Kevin Beaver

You may need to organize your vulnerability information into a formal document for management or your client so they can assess the risk of hacking in their own company. This is not always the case, but it’s often the professional thing to do and shows that you take your work seriously. Ferret out the critical findings and document them so that other parties can understand them.

Graphs and charts are a plus. Screen captures of your findings — especially when it’s difficult to save the data to a file — can add a nice touch to your reports and show tangible evidence that the problem exists.

Document the vulnerabilities in a concise, nontechnical manner. Every report should contain the following information:

  • Date(s) the testing was performed

  • Tests that were performed

  • Summary of the vulnerabilities discovered

  • Prioritized list of vulnerabilities that need to be addressed

  • Recommendations and specific steps on how to plug the security holes found

If it will add value to management or your client (and it often does), you can add a list of general observations around weak business processes, management’s support of IT and security, and so on along with recommendations for addressing each issue.

Most people want the final report to include a summary of the findings — not everything. The last thing most people want to do is sift through a 5-inch-thick stack of papers containing technical jargon that means very little to them. Many consulting firms have been known to charge an arm and a leg for this very type of report, but that doesn’t make it the right way to report.

Many managers and clients like receiving raw data reports from the security tools. That way, they can reference the data later if they want but aren’t mired in hundreds of hard-copy pages of technical gobbledygook. Just make sure you include the raw data in the Appendix of your report or elsewhere and refer the reader to it.

Your list of action items in your report might include the following:

  • Enable Windows security auditing on all servers — especially for logons and logoffs.

  • Put a secure lock on the server room’s door.

  • Harden operating systems based on strong security practices from the National Vulnerability Database and the Center for Internet Security Benchmarks/Scoring Tools.

  • Use a cross-cut paper shredder for the destruction of confidential hard-copy information.

  • Require strong PINs or passphrases on all mobile devices and force users to change them periodically.

  • Install personal firewall/IPS software on all laptops.

  • Validate input in all web applications to eliminate cross-site scripting and SQL injection.

  • Apply the latest vendor patches to the database server.

As part of the final report, you might want to document employee reactions that you observe when carrying out your ethical hacking tests. For example, are employees completely oblivious or even belligerent when you carry out an obvious social engineering attack? Does the IT or security staff completely miss technical tip-offs, such as the performance of the network degrading during testing or various attacks appearing in system log files?

You can also document other security issues you observe, such as how quickly IT staff or managed services providers respond to your tests or whether they respond at all.

Guard the final report to keep it secure from people who are not authorized to see it. An ethical hacking report and the associated documentation and files in the hands of a competitor, hacker, or malicious insider could spell trouble for the organization. Here are some ways to prevent this from happening:

  • Deliver the report and associated documentation and files only to those who have a business need to know.

  • When sending the final report, encrypt all attachments, such as documentation and test results, using PGP, encrypted Zip format, or a secure cloud file-sharing service. Of course, hand delivery is your most secure bet.

  • Leave the actual testing steps that a malicious person could abuse out of the report. Answer any questions on that subject as needed.